On July 25, 2019, Gov. Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), L. 2019, Ch. 117. Its amendments to the breach notification provisions took effect on October 23, 2019; its new data security (“reasonable safeguards”) requirement takes effect on March 21, 2020. The SHIELD Act amends the General Business Law to expand data breach notification requirements, strengthens attorney general oversight and requires businesses and individuals who own or license New York State residents’ private information to employ “reasonable safeguards” to protect it. The law extends both the data protection and the data breach notification requirements to businesses and individuals located outside the state.
Expansion of the Definition of ‘Private Information’
Private information was previously defined to mean personal information (i.e., any information that can be used to identify a natural person) in combination with one or more of the following: Social Security number; driver’s license or non-driver identification card number; or account number, credit card number or debit card number together with any required security code, access code or password (or other information that would permit access to the financial account). The definition now also includes an account, credit card or debit card number alone if it can be used to access a financial account without additional identifying information; biometric information (such as a fingerprint, voice print, retina or iris image, or other digital representation of unique physical traits); and a user name or email address in combination with a password or security question and answer that would permit access to an online account. Private information continues to exclude publicly available information lawfully made available from government records.
Broadening of the Definition of ‘Data Breach’
A data breach was previously defined as the unauthorized acquisition of computerized data that compromises private information. The SHIELD Act broadens the definition to include unauthorized access to such data, even if no data was actually acquired. The SHIELD Act further provides factors for determining whether information has been, or is reasonably believed to have been, accessed without authorization, including indications that the information was viewed, communicated with, used or altered by a person without valid authorization.
Modification of Breach Notification Requirements
The SHIELD Act deletes the portion of the General Business Law that imposed breach notification obligations only on persons or businesses that conduct business in the state. Accordingly, any person or business that owns or licenses computerized data consisting of the private information of New York State residents is subject to the breach notification requirements, regardless of whether that person or business conducts business within the state.
The SHIELD Act, however, relieves a business of its obligation to notify affected individuals if the business determines that the exposure was an inadvertent disclosure by persons authorized to access the private information and is unlikely to result in misuse of the information or financial or emotional harm. That determination must be documented in writing and the documentation retained for five years. If the exposure affects more than 500 New York State residents, the written determination must be provided to the attorney general within 10 days after it is made.
Additionally, businesses are relieved of their obligation to notify individuals under the General Business Law if notice has already been given pursuant to certain other enumerated statutes and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the New York State Department of Financial Services cybersecurity regulation (23 NYCRR Part 500). Notice must still be given to the attorney general. An entity that is required to notify the U.S. Department of Health and Human Services of a breach under HIPAA, including a breach of information that is not “private information” as defined in the General Business Law, must also provide that notification to the attorney general within five business days of notifying HHS.
Individual notices are now also required to include information regarding state and federal agencies that provide breach response information and identity theft protection. Additionally, a copy of the template notice must be provided to the attorney general, the Department of State and the Division of State Police.
Extension of Statute of Limitations and Increased Civil Penalty for Breach Notification Violations
Instead of two years, the attorney general now has three years from the date the attorney general receives notice of a breach, or from the date the attorney general otherwise becomes aware of a breach notification violation, to bring an action for the violation. In no event may such an action be brought more than six years after the entity’s discovery of the breach, unless the entity took steps to conceal the breach. Civil penalties for knowingly or recklessly failing to comply with breach notification obligations are increased from $10 to $20 per instance of failed notification, or $5,000, whichever is greater, subject to a cap of $250,000 (formerly $150,000).
New Requirement of ‘Reasonable Safeguards’
The SHIELD Act further requires any person or business that owns or licenses computerized data including private information of New York residents to implement “reasonable safeguards” to protect the security, confidentiality and integrity of that information. Businesses that are subject to, and in compliance with, HIPAA, the Gramm-Leach-Bliley Act, the New York State Department of Financial Services cybersecurity regulation, or other state or federal data security rules are deemed to be in compliance with the SHIELD Act’s safeguards requirement. Otherwise, a business complies by implementing a data security program that includes reasonable administrative, technical and physical safeguards. The SHIELD Act lists examples of such safeguards, including designating one or more employees to coordinate the security program, identifying and assessing internal and external risks, training employees, selecting service providers capable of maintaining appropriate safeguards, regularly testing and monitoring the effectiveness of key controls, and disposing of private information within a reasonable time after it is no longer needed.
Small businesses (defined as businesses with fewer than 50 employees, less than $3 million in gross annual revenue in each of the last three fiscal years, or less than $5 million in year-end total assets) must also comply with the “reasonable safeguards” requirement, but their safeguards may be scaled to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the personal information it collects.
The attorney general may seek an injunction and civil penalties of up to $5,000 for each violation of the “reasonable safeguards” requirement. The SHIELD Act expressly creates no private cause of action for violation of that requirement.
New York’s Identity Theft Prevention and Mitigation Services Act
Also on July 25, 2019, Cuomo signed the Identity Theft Prevention and Mitigation Services Act, L. 2019, Ch. 115, which took effect on September 23, 2019, and likewise amends the General Business Law. Consumer credit reporting agencies are now required to offer “reasonable identity theft prevention services and, if applicable, identity theft mitigation services” at no cost for five years whenever consumer information held by the agency is breached or reasonably believed to have been breached. Consumers must also be provided with all information necessary to enroll in such services and to request a security freeze. A credit reporting agency is relieved of this obligation only if, after an investigation, it determines that the breach is unlikely to result in harm to the affected consumers.